Make certificate/private key configuration fallible

ctz · ctz · commit 6af14172940a · 2025-08-14T13:08:36.000+01:00
diff --git a/src/conf.rs b/src/conf.rs
@@ -180,7 +180,7 @@ impl SslConfigCtx {
             State::ApplyingToCtx(ctx) => {
                 // the "Certificate" command after `SSL_CONF_CTX_set_ssl_ctx` is documented as using
                 // `SSL_CTX_use_certificate_chain_file`.
-                ctx.get_mut().stage_certificate_chain(cert_chain);
+                ctx.get_mut().stage_certificate_chain(cert_chain)?;
                 ActionResult::Applied
             }
             State::ApplyingToSsl(_) => {
diff --git a/src/entry.rs b/src/entry.rs
@@ -283,8 +283,10 @@ entry! {
                     }
                 };
 
-                ctx.get_mut().stage_certificate_chain(chain);
-                C_INT_SUCCESS as i64
+                match ctx.get_mut().stage_certificate_chain(chain) {
+                    Err(e) => e.raise().into(),
+                    Ok(()) => C_INT_SUCCESS as i64,
+                }
             }
             Ok(SslCtrl::SetTlsExtServerNameArg) => {
                 ctx.get_mut().set_servername_callback_context(parg);
@@ -479,8 +481,10 @@ entry! {
             Err(err) => return err.raise().into(),
         };
 
-        ctx.get_mut().stage_certificate_chain(chain);
-        C_INT_SUCCESS
+        match ctx.get_mut().stage_certificate_chain(chain) {
+            Ok(()) => C_INT_SUCCESS,
+            Err(e) => e.raise().into(),
+        }
     }
 }
 
@@ -523,8 +527,10 @@ entry! {
         let x509 = OwnedX509::new_incref(x);
         let ee = CertificateDer::from(x509.der_bytes());
 
-        ctx.get_mut().stage_certificate_end_entity(ee);
-        C_INT_SUCCESS
+        match ctx.get_mut().stage_certificate_end_entity(ee) {
+            Ok(()) => C_INT_SUCCESS,
+            Err(e) => e.raise().into(),
+        }
     }
 }
 
@@ -958,8 +964,10 @@ entry! {
                     }
                 };
 
-                ssl.get_mut().stage_certificate_chain(chain);
-                C_INT_SUCCESS as i64
+                match ssl.get_mut().stage_certificate_chain(chain) {
+                    Ok(()) => C_INT_SUCCESS as i64,
+                    Err(e) => e.raise().into(),
+                }
             }
             Ok(SslCtrl::GetNegotiatedGroup) => ssl
                 .get()
@@ -1448,8 +1456,10 @@ entry! {
         let x509 = OwnedX509::new_incref(x);
         let ee = CertificateDer::from(x509.der_bytes());
 
-        ssl.get_mut().stage_certificate_end_entity(ee);
-        C_INT_SUCCESS
+        match ssl.get_mut().stage_certificate_end_entity(ee) {
+            Ok(()) => C_INT_SUCCESS,
+            Err(e) => e.raise().into(),
+        }
     }
 }
 
diff --git a/src/lib.rs b/src/lib.rs
@@ -678,11 +678,17 @@ impl SslContext {
         self.cert_callback = callbacks::CertCallbackConfig { cb, context };
     }
 
-    fn stage_certificate_end_entity(&mut self, end: CertificateDer<'static>) {
+    fn stage_certificate_end_entity(
+        &mut self,
+        end: CertificateDer<'static>,
+    ) -> Result<(), error::Error> {
         self.auth_keys.stage_certificate_end_entity(end)
     }
 
-    fn stage_certificate_chain(&mut self, chain: Vec<CertificateDer<'static>>) {
+    fn stage_certificate_chain(
+        &mut self,
+        chain: Vec<CertificateDer<'static>>,
+    ) -> Result<(), error::Error> {
         self.auth_keys.stage_certificate_chain(chain)
     }
 
@@ -933,11 +939,17 @@ impl Ssl {
         self.mode == ConnMode::Server
     }
 
-    fn stage_certificate_end_entity(&mut self, end: CertificateDer<'static>) {
+    fn stage_certificate_end_entity(
+        &mut self,
+        end: CertificateDer<'static>,
+    ) -> Result<(), error::Error> {
         self.auth_keys.stage_certificate_end_entity(end)
     }
 
-    fn stage_certificate_chain(&mut self, chain: Vec<CertificateDer<'static>>) {
+    fn stage_certificate_chain(
+        &mut self,
+        chain: Vec<CertificateDer<'static>>,
+    ) -> Result<(), error::Error> {
         self.auth_keys.stage_certificate_chain(chain)
     }
 
diff --git a/src/sign.rs b/src/sign.rs
@@ -34,12 +34,20 @@ pub struct CertifiedKeySet {
 }
 
 impl CertifiedKeySet {
-    pub fn stage_certificate_chain(&mut self, chain: Vec<CertificateDer<'static>>) {
+    pub fn stage_certificate_chain(
+        &mut self,
+        chain: Vec<CertificateDer<'static>>,
+    ) -> Result<(), error::Error> {
         self.pending_cert_chain = Some(chain);
+        Ok(())
     }
 
-    pub fn stage_certificate_end_entity(&mut self, end: CertificateDer<'static>) {
+    pub fn stage_certificate_end_entity(
+        &mut self,
+        end: CertificateDer<'static>,
+    ) -> Result<(), error::Error> {
         self.pending_cert_end_entity = Some(end);
+        Ok(())
     }
 
     pub fn commit_private_key(&mut self, key: EvpPkey) -> Result<(), error::Error> {

Original file line number	Diff line number	Diff line change
`@@ -180,7 +180,7 @@ impl SslConfigCtx {`
`180`	`180`	`State::ApplyingToCtx(ctx) => {`
`181`	`181`	// the "Certificate" command after `SSL_CONF_CTX_set_ssl_ctx` is documented as using
`182`	`182`	// `SSL_CTX_use_certificate_chain_file`.
`183`		`- ctx.get_mut().stage_certificate_chain(cert_chain);`
	`183`	`+ ctx.get_mut().stage_certificate_chain(cert_chain)?;`
`184`	`184`	`ActionResult::Applied`
`185`	`185`	`}`
`186`	`186`	`State::ApplyingToSsl(_) => {`
Original file line number	Diff line number	Diff line change
`@@ -283,8 +283,10 @@ entry! {`
`283`	`283`	`}`
`284`	`284`	`};`
`285`	`285`
`286`		`- ctx.get_mut().stage_certificate_chain(chain);`
`287`		`- C_INT_SUCCESS as i64`
	`286`	`+ match ctx.get_mut().stage_certificate_chain(chain) {`
	`287`	`+ Err(e) => e.raise().into(),`
	`288`	`+ Ok(()) => C_INT_SUCCESS as i64,`
	`289`	`+ }`
`288`	`290`	`}`
`289`	`291`	`Ok(SslCtrl::SetTlsExtServerNameArg) => {`
`290`	`292`	`ctx.get_mut().set_servername_callback_context(parg);`
`@@ -479,8 +481,10 @@ entry! {`
`479`	`481`	`Err(err) => return err.raise().into(),`
`480`	`482`	`};`
`481`	`483`
`482`		`- ctx.get_mut().stage_certificate_chain(chain);`
`483`		`- C_INT_SUCCESS`
	`484`	`+ match ctx.get_mut().stage_certificate_chain(chain) {`
	`485`	`+ Ok(()) => C_INT_SUCCESS,`
	`486`	`+ Err(e) => e.raise().into(),`
	`487`	`+ }`
`484`	`488`	`}`
`485`	`489`	`}`
`486`	`490`
`@@ -523,8 +527,10 @@ entry! {`
`523`	`527`	`let x509 = OwnedX509::new_incref(x);`
`524`	`528`	`let ee = CertificateDer::from(x509.der_bytes());`
`525`	`529`
`526`		`- ctx.get_mut().stage_certificate_end_entity(ee);`
`527`		`- C_INT_SUCCESS`
	`530`	`+ match ctx.get_mut().stage_certificate_end_entity(ee) {`
	`531`	`+ Ok(()) => C_INT_SUCCESS,`
	`532`	`+ Err(e) => e.raise().into(),`
	`533`	`+ }`
`528`	`534`	`}`
`529`	`535`	`}`
`530`	`536`
`@@ -958,8 +964,10 @@ entry! {`
`958`	`964`	`}`
`959`	`965`	`};`
`960`	`966`
`961`		`- ssl.get_mut().stage_certificate_chain(chain);`
`962`		`- C_INT_SUCCESS as i64`
	`967`	`+ match ssl.get_mut().stage_certificate_chain(chain) {`
	`968`	`+ Ok(()) => C_INT_SUCCESS as i64,`
	`969`	`+ Err(e) => e.raise().into(),`
	`970`	`+ }`
`963`	`971`	`}`
`964`	`972`	`Ok(SslCtrl::GetNegotiatedGroup) => ssl`
`965`	`973`	`.get()`
`@@ -1448,8 +1456,10 @@ entry! {`
`1448`	`1456`	`let x509 = OwnedX509::new_incref(x);`
`1449`	`1457`	`let ee = CertificateDer::from(x509.der_bytes());`
`1450`	`1458`
`1451`		`- ssl.get_mut().stage_certificate_end_entity(ee);`
`1452`		`- C_INT_SUCCESS`
	`1459`	`+ match ssl.get_mut().stage_certificate_end_entity(ee) {`
	`1460`	`+ Ok(()) => C_INT_SUCCESS,`
	`1461`	`+ Err(e) => e.raise().into(),`
	`1462`	`+ }`
`1453`	`1463`	`}`
`1454`	`1464`	`}`
`1455`	`1465`
Original file line number	Diff line number	Diff line change
`@@ -678,11 +678,17 @@ impl SslContext {`
`678`	`678`	`self.cert_callback = callbacks::CertCallbackConfig { cb, context };`
`679`	`679`	`}`
`680`	`680`
`681`		`- fn stage_certificate_end_entity(&mut self, end: CertificateDer<'static>) {`
	`681`	`+ fn stage_certificate_end_entity(`
	`682`	`+ &mut self,`
	`683`	`+ end: CertificateDer<'static>,`
	`684`	`+ ) -> Result<(), error::Error> {`
`682`	`685`	`self.auth_keys.stage_certificate_end_entity(end)`
`683`	`686`	`}`
`684`	`687`
`685`		`- fn stage_certificate_chain(&mut self, chain: Vec<CertificateDer<'static>>) {`
	`688`	`+ fn stage_certificate_chain(`
	`689`	`+ &mut self,`
	`690`	`+ chain: Vec<CertificateDer<'static>>,`
	`691`	`+ ) -> Result<(), error::Error> {`
`686`	`692`	`self.auth_keys.stage_certificate_chain(chain)`
`687`	`693`	`}`
`688`	`694`
`@@ -933,11 +939,17 @@ impl Ssl {`
`933`	`939`	`self.mode == ConnMode::Server`
`934`	`940`	`}`
`935`	`941`
`936`		`- fn stage_certificate_end_entity(&mut self, end: CertificateDer<'static>) {`
	`942`	`+ fn stage_certificate_end_entity(`
	`943`	`+ &mut self,`
	`944`	`+ end: CertificateDer<'static>,`
	`945`	`+ ) -> Result<(), error::Error> {`
`937`	`946`	`self.auth_keys.stage_certificate_end_entity(end)`
`938`	`947`	`}`
`939`	`948`
`940`		`- fn stage_certificate_chain(&mut self, chain: Vec<CertificateDer<'static>>) {`
	`949`	`+ fn stage_certificate_chain(`
	`950`	`+ &mut self,`
	`951`	`+ chain: Vec<CertificateDer<'static>>,`
	`952`	`+ ) -> Result<(), error::Error> {`
`941`	`953`	`self.auth_keys.stage_certificate_chain(chain)`
`942`	`954`	`}`
`943`	`955`